From 336363e0e42abf3e51fe135043e911d2024884e8 Mon Sep 17 00:00:00 2001
From: changtao
Date: Wed, 18 Sep 2024 20:47:57 +0800
Subject: [PATCH] fix CVE-2020-13596
---
 0001-fix-CVE-2020-13596.patch | 85 +++++++++++++++++++++++++++++++++++
 python-django.spec | 10 ++++-
 2 files changed, 93 insertions(+), 2 deletions(-)
 create mode 100644 0001-fix-CVE-2020-13596.patch
diff --git a/0001-fix-CVE-2020-13596.patch b/0001-fix-CVE-2020-13596.patch
new file mode 100644
index 0000000..4f6dde3
--- /dev/null
+++ b/0001-fix-CVE-2020-13596.patch
@@ -0,0 +1,85 @@
+From 6d61860b22875f358fac83d903dc629897934815 Mon Sep 17 00:00:00 2001
+From: Jon Dufresne
+Date: Wed, 18 Sep 2024 20:37:30 +0800
+Subject: [PATCH] [2.0.x] Fixed CVE-2020-13596 -- Fixed potential XSS in admin
+ ForeignKeyRawIdWidget.
+
+---
+ django/contrib/admin/widgets.py | 2 +-
+ docs/releases/2.2.13.txt | 8 ++++++++
+ tests/admin_widgets/models.py | 6 ++++++
+ tests/admin_widgets/tests.py | 9 +++++++++
+ 4 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/django/contrib/admin/widgets.py b/django/contrib/admin/widgets.py
+index 3d11a40..40dba16 100644
+--- a/django/contrib/admin/widgets.py
++++ b/django/contrib/admin/widgets.py
+@@ -11,7 +11,7 @@ from django.core.validators import URLValidator
+ from django.db.models import CASCADE, UUIDField
+ from django.urls import reverse
+ from django.urls.exceptions import NoReverseMatch
+-from django.utils.html import smart_urlquote
++from django.utils.http import urlencode
+ from django.utils.http import urlencode
+ from django.utils.text import Truncator
+ from django.utils.translation import get_language
+diff --git a/docs/releases/2.2.13.txt b/docs/releases/2.2.13.txt
+index 3e455e7..d4a17d8 100644
+--- a/docs/releases/2.2.13.txt
++++ b/docs/releases/2.2.13.txt
+@@ -6,6 +6,14 @@ Django 2.2.13 release notes
+ 
+ Django 2.2.13 fixes two security issues and a regression in 2.2.12.
+ 
++CVE-2020-13596: Possible XSS via admin ``ForeignKeyRawIdWidget``
++================================================================
++
++Query parameters for the admin ``ForeignKeyRawIdWidget`` were not properly URL
++encoded, posing an XSS attack vector. ``ForeignKeyRawIdWidget`` now
++ensures query parameters are correctly URL encoded.
++ ++ + CVE-2020-13254: Potential data leakage via malformed memcached keys + =================================================================== + +diff --git a/tests/admin_widgets/models.py b/tests/admin_widgets/models.py +index 0113ecb..093ff5a 100644 +--- a/tests/admin_widgets/models.py ++++ b/tests/admin_widgets/models.py +@@ -29,6 +29,12 @@ class Member(models.Model): + def __str__(self): + return self.name + ++class UnsafeLimitChoicesTo(models.Model): ++ band = models.ForeignKey( ++ Band, ++ models.CASCADE, ++ limit_choices_to={'name': '"&>\n' ++ '' ++ ) + + @override_settings(ROOT_URLCONF="admin_widgets.urls") + class ForeignKeyRawIdWidgetTest(TestCase): +-- +2.43.0 + diff --git a/python-django.spec b/python-django.spec index ac31c22..c62d152 100644 --- a/python-django.spec +++ b/python-django.spec @@ -1,12 +1,12 @@ %global _empty_manifest_terminate_build 0 Name: python-django Version: 4.2.15 -Release: 1 +Release: 2 Summary: A high-level Python Web framework that encourages rapid development and clean, pragmatic design. License: Apache-2.0 and Python-2.0 and BSD-3-Clause URL: https://www.djangoproject.com/ Source0: https://files.pythonhosted.org/packages/source/d/Django/Django-%{version}.tar.gz - +Patch0001: 0001-fix-CVE-2020-13596.patch BuildArch: noarch %description A high-level Python Web framework that encourages rapid development and clean, pragmatic design. @@ -72,6 +72,12 @@ mv %{buildroot}/doclist.lst . %{_docdir}/* %changelog +* Thu Sep 19 2024 changtao - 4.2.15-2 +- Type: bugfix +- CVE: CVE-2020-13596 +- SUG: NA +- DESC: Fix CVE-2020-13596 + * Thu Aug 08 2024 yaoxin - 4.2.15-1 - Update to 4.2.15 * CVE-2024-41989: Memory exhaustion in ``django.utils.numberformat.floatformat()`` -- Gitee
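Review bot: The widgets.py hunk of the new 0001-fix-CVE-2020-13596.patch changes nothing that escapes anything: it removes `from django.utils.html import smart_urlquote` and adds `from django.utils.http import urlencode` immediately above the identical existing line, so `ForeignKeyRawIdWidget.get_context` is untouched, a duplicate import is introduced, and any code in that module that still uses `smart_urlquote` (I believe `AdminURLFieldWidget` does in 4.x, worth confirming) would fail with a NameError. The patch is also labelled `[2.0.x]` and edits `docs/releases/2.2.13.txt`, while the spec builds Django 4.2.15, which already contains the upstream fix for CVE-2020-13596 (shipped in 2.2.13/3.0.7); the release-note hunk will either fail to apply or duplicate a section that is already in the tree. The `tests/admin_widgets/models.py` hunk is visibly incomplete here (`limit_choices_to={'name': '"&>\n' ''` never closes the `ForeignKey(` call, and the 9-line `tests/admin_widgets/tests.py` hunk listed in the diffstat has no visible body) — this may be extraction damage, but it should be checked against the file as committed before it is fed to a build. I would drop this patch entirely and record that 4.2.15 already carries the upstream fix; if a real gap in 4.2.15 is being claimed, backport the upstream hunk that changes `get_context` to build the link with `urlencode(params)`, not an import-only change.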
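Review bot: `Patch0001: 0001-fix-CVE-2020-13596.patch` is declared in the first spec hunk, but the `%prep` section that would apply it lies outside the hunk, so it is not visible whether `%autosetup -p1` (or an explicit `%patch`) actually applies it; if it does, the patch's import-only change could break `django.contrib.admin.widgets` at import time, and if it does not, the Release bump to `4.2.15-2` ships no change at all. Since Django 4.2.15 already includes the upstream fix for CVE-2020-13596, I would revert the `Patch0001` line and the release bump rather than advertise a fix the package never needed; if the bump is kept for other reasons, the changelog should say the CVE is already addressed upstream instead of `DESC: Fix CVE-2020-13596`. Also note the changelog entry is dated `Thu Sep 19 2024` while the commit is dated `Wed, 18 Sep 2024`; `rpmbuild` will warn if changelog dates are not consistent with the day of week.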